Change log for CHECKPOINT_FIREWALL
Date | Changes |
---|---|
2024-04-19 | Enhancement and Bug-Fix:
- Mapped "origin" to "target.ip" and "target.asset.ip". - Added new Grok patterns to parse new format of SYSLOG logs. - Mapped "smartdefense_profile", "malware_rule_id", and "malware_rule_name" to "security_result.detection_fields". - Mapped "sequencenum", "description_url", "industry_reference", "mitre_execution", "packet_capture_name", "packet_capture_unique_id", "packet_capture_time", and "performance_impact" to "additional.fields". - Mapped "version" to "metadata.product_version". - Mapped "http_host" to "target.resource.attribute.labels". - Mapped "log_id" to "metadata.product_log_id". - Mapped "user_agent" to "network.http.user_agent" and "http.parsed_user_agent". - Mapped "hostname", "dvc", and "principal_hostname" to "target.hostname" and "target.asset.hostname". - If "has_principal" is "true", "has_target" is "true", and "Action"/"action" is "Log In" or "Failed Log In" or "Failed Login" or "Update", then set "metadata.event_type" to "USER_LOGIN" and "extensions.auth.type" to "AUTHTYPE_UNSPECIFIED". - If "has_principal" is "true", "has_target" is "true", and "Action"/"act"/"event_type" is "Log Out" or "Logout", then set "metadata.event_type" to "USER_LOGOUT" and "extensions.auth.type" to "AUTHTYPE_UNSPECIFIED". - If "has_principal" is "true", "has_target" is "true", then set "metadata.event_type" to "NETWORK_CONNECTION". - If "has_principal" is "true", "has_target" is "false", then set "metadata.event_type" to "STATUS_UPDATE". |
2024-02-07 | Enhancement: Added mapping for the following fields:
- Mapped "protection_id", "malware_action", "malware_family,protection_name", "protection_type" to "security_result.detection_fields". - Mapped "confidence_level" to "security_result.confidence" and "security_result.confidence_details". |
2024-02-05 | Enhancement: Added mapping for the following fields:
- Mapped "method" to "network.http.method". |
2024-01-24 | Enhancement: Added mapping for the following fields:
- Mapped "method" to "network.http.method". - Mapped "duration" to "network.session_duration.seconds". - Mapped "additional_info" to "security_result.description". - Mapped "operation" to "security_result.summary". - Mapped "subject" to "metadata.description". - Mapped "principal_hostname" to "intermediary.hostname". - Mapped "tcp_packet_out_of_state", "aggregated_log_count", "connection_count", "appi_name", "src_user_dn", "update_count", "additional_info", "administrator", "operation", "sendtotrackerasadvancedauditlog", "subject", "fieldschanges", "logic_changes", "objecttype", "session_description", "session_name" to "security_result.detection_fields". |
2023-12-27 | Enhancement: Added mapping for the following fields:
- Mapped "flags" to "security_result.detection_fields". - Mapped "tcp_flags" to "security_result.detection_fields". - Mapped "tcp_packet_out_of_state" to "security_result.detection_fields". |
2023-12-11 | Enhancement:
- If "principal_hostname" is a valid ip, mapped it to "principal.ip". - If "principal_hostname" is not a valid ip, mapped it to "principal.hostname". - Mapped "sport_svc" to "principal.port". - Mapped "ProductFamily" to "additional.fields". - Mapped "mitre_initial_access" to "security_result.detection_fields". - Mapped "policy_time" to "security_result.detection_fields". - Mapped "profile" to "security_result.detection_fields". - Mapped "reject_id_kid" to "security_result.detection_fields". - Mapped "ser_agent_kid" to "security_result.detection_fields". |
2023-10-11 | Enhancement:
- If "product" is "New Anti Virus", then the mapping from "firewall management node" to "principal.hostname" is removed and instead mapped to "security_result.detection_fields". |
2023-07-06 | Enhancement: Added mapping for the following fields:
- Mapped "app_category" to "security_result.category_details". - Mapped "matched_category" to "security_result.detection_fields". - Mapped "app_properties" to "security_result.detection_fields". |
2023-06-14 | Enhancement: Added mapping for following fields
- Mapped "conn_direction" to "additional.fields". - Modified gsub's so as not to replace the ":" with "=" from actual values. |
2023-05-12 | Enhancement: Added mapping for following fields
- Mapped "rule_name" to "security_result.rule_name". - Mapped "rule","sub_policy_name","sub_policy_uid","smartdefense_profile","tags","flexString2" to "security_result.detection_fields". Enhancement: - Added new Grok pattern to support the new log formats. - Mapped "dvc" to "intermediary.hostname". - Mapped "hostname" to "intermediary.hostname". - Mapped "origin_sic_name" to "intermediary.asset_id". - Mapped "conn_direction" to "network.ip_protocol". - Mapped "ifname" to "security_result.detection_fields". - Mapped "security_inzone" to "security_result.detection_fields". - Mapped "match_id" to "security_result.detection_fields". - Mapped "parent_rule" to "security_result.detection_fields". - Mapped "security_outzone" to "security_result.detection_fields". - Mapped "sub_policy_name" to "security_result.detection_fields". - Mapped "sub_policy_uid" to "security_result.detection_fields". - Mapped "drop_reason" to "security_result.summary". - Mapped "reason" to "security_result.summary". - Mapped "xlatesport" to "principal.nat_port". - Mapped "xlatedport" to "target.nat_port". - Mapped "ipv6_dst" to "target.ip". - Mapped "ipv6_src" to "principal.ip". |
2023-04-24 | Enhancement:
- Added support for logs with CEF format. |
2022-11-18 | Enhancement:
- Modified mapping for "service" and mapped it to "target.port". |
2022-10-27 | Enhancement:
- Added conditional check for "attack","attack_info","policy_name". - Added grok pattern to retrieve "principal_hostname". - Added gsub to change "=" to ":". - Modified mapping for "service" and mapped it to "target.resource.attribute.labels". |
2022-10-13 | Enhancement:
- Mapped the field 'fw_subproduct' to 'metadata.product_name'. - Added grok pattern to extract the ip form the field 'src'. |
2022-08-30 | Enhancement:
- Merged the changes of Customer-specific versions to default. - Undropped the logs containing "*****" in UserCheck. |
2022-08-18 | Enhancement:
- Mapped "portal_message" to "security_result.description". - Mapped "security_result.category" as "SOFTWARE_MALICIOUS" in case "portal_message" contains keywords "malware/malicious". - Mapped "URL" to "security_result.about.url". - Mapped "Activity" to "security_result.summary". - Mapped "Reference" to "security_result.about.resource.attribute.labels". - Modified "event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" by replicating the value of "intermediary.ip" to "principal.ip". |
2022-08-12 | Enhancement:
- Mapped "malware_action", "malware_family,protection_name", "protection_type" to "security_result.about.resource.attribute.labels". - Mapped "src_machine_name" to "security_result.detection_fields". |
2022-06-30 | Enhancement:
- Mapped "message_info" to "metadata.description". |
2022-06-17 | Enhancement:
- Added conditional checks for fields "nat_rulenum", "rule", "sent_bytes", "received_bytes", "s_port", "service". - Modified event_types for the following cases: - "GENERIC_EVENT" to "NETWORK_CONNECTION" where "principal.ip or principal.hostname" and "target.ip or target.hostname" are not null. - "GENERIC_EVENT" to "STATUS_UNCATEGORIZED" where "principal.ip or principal.hostname" is not null. |
2022-06-14 | Enhancement:
- Modified the parser to parse more logs by removing the condition check for passwd. |
2022-06-07 | Enhancement:
- Mapped src_machine_name to security_result.detection_fields. |
2022-05-19 | Enhancement:
- Mapped inzone, outzone, layer_name, layer_uuid and policy_name to security_result.detection_fields. - Mapped service_id to principal.application. |